A user who wants to avail himself of the services provided by a secure web site (such as a site that supports online banking) must typically authenticate himself to the site. This is often accomplished by having the user submit a public username along with a secret password shared only between the user and the bank. If the bank successfully verifies that the password is correct for the corresponding username, the user is permitted to avail himself of the services, such as checking account balances, making payments to third parties, etc.
More sophisticated user authentication schemes can require the user to provide a token capable of generating a One Time Password (OTP) that changes on the basis of time or an event, such a pressing a button on the token. A password based upon the OTP can be sent to the site along with a secret password (such as Personal Identification Number (PIN)) and a username. The site verifies the OTP password, the username and any other secret password before permitting the user to access the site services.
Another problem is authenticating the site to the user. Over the past few years, fraudsters have become increasingly adept at serving pages that masquerade as web site pages of third parties. Typically, links to these fraudulent pages are distributed via e-mails that allege some problem with a user's account and solicit from the user sensitive information, such as usernames and passwords to “logon” on fix the problem. For example, a user can receive an e-mail that purports to be from his bank announcing that his statement is ready to be viewed online by clicking a link in the e-mail. When the user clicks the link, he is directed to a web page that looks like the bank's site but is actually deployed by a fraudster. The user may enter his username and password, which is then received by the fraudster. The fraudster can sell this information or use it himself to logon to the actual bank site, logon as the user and obtain information about or money from the user's bank account. This process, known as phishing, is becoming increasingly widespread and is known to occur for auction sites, brokerage house sites, enterprise extranets and other types of sites provided over networks. Information sought from users by this technique includes usernames, passwords, credit card numbers, bank account numbers and the like.
What is needed is a reliable and robust technology for providing assurance to the user that the site he is viewing is the true and authentic site of the service he is seeking to use.